Friday, 19 December 2008

dataxtream writes 'The world's first refrigerated beach is to be built at a luxury hotel in Dubai, located along the southern coast of the Persian Gulf. The beach will include heat-absorbing pipes under the sand along with large wind blowers, which will keep tourists cool and guard their feet against the hot sand. Half of me says these guys need a reality check, the other half wants to go there.' I believe I've just thought of a way we could solve this whole global warming thing I've been hearing about.

Wednesday, 17 December 2008

What to do now

Now that a European Court has decided that the retention of the DNA of innocent people is illegal - what should you do now?

Earlier this month, 17 judges on the Grand Chambers of the European Court of Human Rights (ECHR) ruled unanimously that the UK is in violation of the right to respect for private and family life (Article 8) by retaining the fingerprints, DNA samples and profiles of Messrs S and Marper. Mr S was arrested at the age of 11 and charged with attempted robbery. Mr Michael Marper was arrested and charged with harassment of his partner. Both were arrested in 2001, and both had their fingerprints and DNA samples taken. Later that same year Mr S was acquitted and the case of Mr Marper was formally discontinued, as he and his partner had become reconciled and the charge was not pressed.

The court found that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society.

Let's look at the consequences of this ruling. What can you do - as soon as you've finished reading this article - and what is the likely impact on legislation and policies?

Don't delay - delete your DNA today

The ruling clearly affects the retention by England, Wales and Northern Ireland police forces of fingerprints and DNA samples, and derived DNA profiles of both those who have been acquitted and those for whom a decision of no further action (NFA) was taken. If you are among the estimated 573,639 to 857,366 innocents whose DNA profile is on the National DNA Database (NDNAD), you should act now. Don't wait until the time the police will have to weed out these records and samples.

Writing to the chief of police

The first step is to write to the chief of police of the force that arrested you. This may seem obvious, but several responses to freedom of information (FOI) requests we sent out as part of the research for this article, before the outcome of the S and Marper UK case was known, reveal that few individuals have gone to the trouble of asking.

At one extreme, the Warwickshire Police force has not received any requests in the last three years even though they contributed 12,263 DNA profiles to the NDNAD in the same period. At the other end of the scale, the Metropolitan Police, which in the past three years has contributed 85,305 DNA profiles, close to a fifth of the DNA profiles added by all English and Welsh forces to the NDNAD, received only 23, 64 and 110 requests for the removal of DNA profiles from the NDNAD, and granted 11, 18 and 21 of these respectively for 2006, 2007 and 2008 (up to the end of November).

Even though the West Midlands Police has in recent years arrested for recorded crimes about a third the number the Met has, it has received a similar number of requests for removal: 58, 49 and 83, and granted 25, 7 and 28 of these respectively for 2006, 2007 and 2008 (to November 21). For forces with fewer arrests such as the Cheshire, Durham or Gwent Constabularies, you can count the number of requests granted, since recording them started, on one hand. Police guidelines (the Retention Guidelines for Nominal Records on the Police National Computer) ensured that received requests to get off the NDNAD were granted only exceptionally. As a consequence of the ruling, the exceptional will have to become the norm.

Several forces do not keep a tally of the requests they receive. For example, the Northamptonshire Police responded to our request for details: "There is no single database holding the information requested. Some information may be held on individual custody records but manual examination would take the request over the cost limit and any results would not be conclusive in any case." One force, the Derbyshire Constabulary, decided "As a result of your request [I] have asked the staff who deal with exceptional cases to consider making a record of requests and decisions."

Dr Helen Wallace, Director of GeneWatch UK, a not-for-profit organisation that monitors developments in genetic technologies from a public interest perspective, which provided expert evidence on behalf of Messrs S and Marper to the ECHR, commented on the ruling: "[This] landmark decision vindicates all those innocent people who have struggled to get their DNA destroyed. It means that there must be strict new rules to limit DNA retention and prevent misuse."

How to write a formal request

Having decided to write to request destruction of your fingerprints and DNA samples, deletion of your DNA profile and deletion or updating of any other database records linking to this information, the next step is to figure out what you should write. You need to include enough information so the police can identify you, the circumstances in which you were arrested (and your fingerprints and DNA samples were taken), details of the NFA decision or of your acquittal, and the reason you are requesting your records to be deleted and your samples to be destroyed.

This initial letter doesn't have to be long but it must be precise, otherwise the police won't be able to deal with it. In its FOI response, the Cheshire Constabulary explained that it "receives numerous 'requests' for the removal of DNA, [t]he majority of which could not be considered formal request as when asked why we should consider their request, they simply do not respond or they actually mean something different. We would seek to clarify requests to establish the identity of the requestor and the reasons why they are requesting removal of data. This is well before we can actually consider the merits of a request and whether or not it fits the requirements of the Exceptional Cases procedure."

GeneWatch suggests this as a reason to "[a]sk for them to remove your records and destroy your DNA in the light of the judgment of the European Court of Human Rights". You may want to send a copy of the letter to your MP and a copy of any reply to GeneWatch (and let us know how it goes as well).

Another suggestion is that you may also want to argue for the police to remove your records and destroy your DNA samples in "other cases (e.g. cautions, final warnings, spent minor convictions)". Although the ECHR decision only covers people who have not been convicted, it makes clear that an interference with personal informational privacy such as the retention and use of profiles and samples must be indispensable and proportionate with the legitimate aim of the criminal justice system (i.e., the seriousness of the offence).

The Court cannot, however, disregard the fact that, notwithstanding the advantages provided by comprehensive extension of the DNA database, other Contracting States have chosen to set limits on the retention and use of such data with a view to achieving a proper balance with the competing interests of preserving respect for private life... The Court considers that any State claiming a pioneer role [as the UK is] in the development of new technologies bears special responsibility for striking the right balance in this regard.

If you're in a situation where you find this balance has not been achieved, for example the indefinite retention for children given reprimands, then you may also benefit from this ruling.

Taking into account the ECHR ruling, the police are now likely to accept all legitimate requests as they would be in a very weak position if an innocent person were to seek a judicial review in case of refusal. Due to the small number of requests granted prior to the ruling, the actual deletions from the NDNAD and the Police National Computer (PNC) and destruction of samples is a very ad-hoc process. The Met promised a process last year and eventually did publish one (pdf), but it was not worth the wait.

Here's the process they go through: "If the decision to delete has been made, the Exceptional Cases Unit will contact the respective departments and agencies to ensure that the DNA, fingerprints and PNC records are deleted/destroyed accordingly."

The National Police Improvement Agency (NPIA) realises that "following the judgement last week in the S & Marper case heard at the European Court of Human Rights the DNA sample retention and destruction requirements are being reviewed." At least, once a DNA profile has been deleted from the database, it would appear that these transactions are propagated to all backups in a short time:

The NDNAD has both a regular internal and a regular off-site back-up procedure. All transactions carried out on the NDNAD are backed up each working day. The deletion of profiles from the NDNAD would be treated the same as any other NDNAD transaction within this back-up procedure. Any record of a DNA profile will also be removed from all back-up media within 10 days of its deletion from NDNAD.

Until a comprehensive process is published giving stronger confidence in the deletion process, once you get confirmation that your request has been granted you may want to ask to be present when the physical samples are destroyed and electronic data is deleted and updated. If you go for this, ask speedily or possibly even with your request letter, as in my case the deletion process was started before informing me of the decision!

Observing the process by a large number of individuals would be costly in time and money; an easier alternative would be for the labs used by the police to generate DNA profiles from the samples taken from individuals to systematically destroy the DNA samples once a DNA profile has been derived. The DNA samples are not used for identification.

Saturday, 6 December 2008

Have you ever wondered whether the wifi data you send and receive with your iPhone or iPod touch at the local coffee shop or airport is secure? Well, I bet if you hadn't wondered that before, you are now. It's easy to forget that inside that cute little handheld device live the guts of an actual computer, and likely a lot of personal data. Depending on your surfing habits, you could be sending and receiving personal information in a non-secure way over public wifi.

If you're concerned about your data's safety, consider using Anchorfree's Hotspot Shield free VPN service. Hotspot Shield has been a great way to lock down your laptop's wifi for a long time now, and just recently they have released instructions on how to take advantage of their service on an iPhone / iPod touch. Pleasantly, the service does not require that a program be downloaded to your device, but rather takes advantage of the iPhone and iPod touch's built-in VPN functionality.

My only gripe with Hotspot Shield is that it can sometimes be challenging to get the VPN to successfully connect. Anchorfree recommends performing a quick reboot of your device to get your connection going, but in my experience even that can be a hit-or-miss scenario. But it's still better than letting that creepy guy that keeps hitting on the barista peruse my http requests. 'Cause I'm not paranoid, but I'm sure that's what he's doing.